True IP spoofing or not?



Hello

Every less than a minute or so, I am getting this in my Firewall log page:

From: 192.168.1.1 To: 224.0.0.1 attack block

IGMP src port:00000 dest pot:00000 ip spoofing

Is this really true? Is it something I should look at? My network is 192.168.100.x

Thank you


Those 224.0.0.xxx addresses are part of the Cisco IOS (router and switch operating system). It is part of the new IGMPv2 standard and is used by Linksys routers also, as they are owned by Cisco. I don't know whether other brands use it or not. I'm guessing they do as it is a standard. They are for intranetwork communication. Here is a webpage that sheds some light on how it operates:

http://www.cisco.com/en/US/tech/tk828/technologies_white_paper09186a00800a3e2b.shtml

jasper

Source. I couldn't tell you if that's true or not, though.


The thing is, how is it coming from a 192.168.1.1 address?

Does this mean there is a 192.168.1.1 on my LAN network... or is it possible it is from somewhere else outside my LAN?

The thing is I think it eventually blocks my router, turns off internet access, and I have to restart my router to get back internet...


192.168.1.1 is an internal IP address. If you haven't set up your network in any special way, then 192.168.1.1 would more than likely be the IP address of your router.


That's the thing: My router's IP is NOT 192.168.1.1. We don't have a 192.168.1.1 in the network, as all the network is 192.168.100.x. That is what puzzles me and worries me.


Download and run this, http://www.nirsoft.net/utils/fastresolver.html, and see if 192.168.1.1 is alive and then read the hostname. Also try navigating to that IP in your browser and see if it brings up the router page, sometimes it will be accessible on many addresses! Don't fret mate, it's only local traffic here so (hopefully) nothing malicious (of any great concern) is happening.


Where are you seeing this?? On your machine, or on your router firewall?

As stated, it's multicast - be it outside your network or inside your network, it's quite possible there is a 192.168.1.1 device - this is a common IP for many devices.

That info given is pretty useless - if on your machine, can you sniff the traffic, and then we could hope to get the MAC address. From the MAC address we should be able to get the maker of the NIC the packet is coming from. So we would know if, say, it's Linksys or Netgear, etc.

This might give you a clue to what it's coming from if inside your network. If outside your network, it's typical internet noise - why are you logging it?
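The sniffing step suggested in the post above, as an added example that is not part of the thread: it parses one captured Ethernet frame, reports the source MAC and its OUI (the vendor prefix to look up in the IEEE registry), and checks the source IP against the poster's 192.168.100.0/24 LAN. The frame is constructed (documentation-range MAC from RFC 7042, no Router Alert option, IP checksum left at zero), and `build_sample_frame` and `analyze` are hypothetical names.

```python
import ipaddress
import struct

LAN = ipaddress.ip_network("192.168.100.0/24")           # LAN stated in the thread
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # never forwarded by routers
IGMP_TYPES = {0x11: "membership query", 0x12: "v1 report",
              0x16: "v2 report", 0x17: "leave group", 0x22: "v3 report"}

def build_sample_frame():
    """Constructed frame: IGMP general query from 192.168.1.1 to 224.0.0.1."""
    eth = bytes.fromhex("01005e000001" "00005e005301" "0800")  # dst, src, IPv4
    igmp = bytes.fromhex("1164ee9b00000000")  # type, max resp, checksum, group
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(igmp), 0, 0,
                     1, 2, 0,  # TTL 1, protocol 2 (IGMP), checksum not filled in
                     ipaddress.ip_address("192.168.1.1").packed,
                     ipaddress.ip_address("224.0.0.1").packed)
    return eth + ip + igmp

def analyze(frame, lan=LAN):
    """Return the fields that identify the sender of one untagged IPv4 frame."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an untagged IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
    ttl, proto = frame[22], frame[23]
    src = ipaddress.ip_address(frame[26:30])
    dst = ipaddress.ip_address(frame[30:34])
    igmp = "not IGMP"
    if proto == 2 and len(frame) > 14 + ihl:
        igmp = IGMP_TYPES.get(frame[14 + ihl], "unknown IGMP type")
    return {
        "src_mac": src_mac.hex(":"),
        "oui": src_mac[:3].hex(":"),          # prefix to look up in the IEEE OUI registry
        "src_ip": str(src),
        "dst_ip": str(dst),
        "src_in_lan": src in lan,             # False: sender is addressed outside the LAN
        "link_local_multicast": dst in LINK_LOCAL_MCAST,
        "ttl": ttl,                           # IGMP messages are sent with TTL 1
        "igmp": igmp,
    }

if __name__ == "__main__":
    for key, value in analyze(build_sample_frame()).items():
        print(f"{key:22}{value}")
```

A `src_in_lan` of False together with a link-local multicast destination points to a device on the same segment that is addressed for a different subnet; the OUI narrows down which one.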


It just sounds like a misconfigured device is trying to send multicast data (I'd say somebody has plugged in a router or modem, 192.168.1.1 is a common default IP for these devices)


It sounds like a Bonjour kind of Device, Airprint, Wireless Printers etc. They have been driving me crazy the past few days. Trying to get a HP Wireless printer working on a Cisco Access Point! Can I hell as get it working. Logged a TAC Case with Cisco. But we see the same traffic when Multicast devices are connected to the network such as those I have listed.


Hey mate what's wrong with the HP printer? Can you get a ping back?
